Nextcloud as a Tor Hidden Service

Install Nextcloud via the official installer script (download.nextcloud.com) or via snap (snap install nextcloud). Configure Nginx to proxy to Nextcloud's PHP-FPM on 127.0.0.1:80. Configure Tor: HiddenServiceDir /var/lib/tor/nextcloud/ and HiddenServicePort 80 127.0.0.1:80. Critical Nextcloud configuration for .onion: in config/config.php, add 'trusted_domains' => ['youraddress.onion'] and 'overwrite.cli.url' => 'http://youraddress.onion'. Without these settings, Nextcloud rejects requests from the .onion domain as untrusted. If Nextcloud is behind Nginx acting as a reverse proxy: add 'trusted_proxies' => ['127.0.0.1'] to config.php. Test access via Tor Browser - the Nextcloud web interface should load and function normally. The first admin account setup requires accessing the .onion URL via Tor Browser during initial configuration.

Nextcloud clients (Desktop sync client, iOS app, Android app) need Tor to connect to a .onion Nextcloud. Desktop sync client: configure SOCKS5 proxy in the Nextcloud Desktop client settings (Settings > Network > Proxy settings > SOCKS5 Host: 127.0.0.1, Port: 9050). After configuring the proxy, add the .onion URL as the server address. The client syncs files through Tor. Mobile clients: on Android, use Orbot with VPN mode enabled (routes all traffic through Tor), then configure the Nextcloud Android app with the .onion URL as server. iOS: use Orbot for iOS with VPN mode, then configure the Nextcloud iOS app. Alternative mobile access: use Tor Browser for Android to access the Nextcloud web interface directly at the .onion URL.

Nextcloud's built-in End-to-End Encryption (E2EE) app encrypts file contents on the client before uploading - the server stores ciphertext and cannot decrypt files. Enable the E2EE app in Nextcloud's administration settings. Users generate an E2EE key pair from the Nextcloud client (Desktop or mobile). Encrypted folders are designated per folder. Files in encrypted folders are encrypted before upload and decrypted after download - the server (and Tor exit nodes for upload/download traffic) never sees plaintext file contents. Combined with .onion transport (hiding file transfer metadata from ISPs) and server-side encryption for files not in E2EE folders, Nextcloud provides multiple encryption layers. Key management: E2EE keys are stored in the user's browser/client. If the client is lost without key backup, access to encrypted files is lost - back up E2EE keys securely.

Nextcloud's app ecosystem includes tools valuable for privacy-focused deployments. Nextcloud Talk: video/audio calls and team chat. Talk works over .onion but video call quality is limited by Tor latency. Use Talk for text chat; for video calls, consider a dedicated Jitsi Meet deployment with a separate .onion. Nextcloud Contacts and Calendar: standard CalDAV/CardDAV sync accessible via .onion. Configure calendar and contacts clients with SOCKS5 proxy and .onion URL. Nextcloud Notes: simple markdown note-taking synced to .onion Nextcloud. Accessible from Tor Browser or Nextcloud mobile apps. External Storage: connect Nextcloud to local storage (same server) rather than external cloud providers (which would reintroduce the trust issues solved by .onion deployment). Avoid S3/Backblaze external storage if data privacy is the goal - the point of self-hosting is keeping data off third-party services.

Tor adds latency to all file operations. Optimization strategies: (1) configure Nextcloud's OPcache for PHP (reduces PHP processing overhead): opcache.enable=1, opcache.memory_consumption=256, in /etc/php/8.x/fpm/php.ini, (2) enable Redis for session cache and file locking: apt install redis-server and configure in Nextcloud config.php (memcache.locking and memcache.distributed), (3) set appropriate chunk size for large file uploads: Nextcloud Desktop client uploads large files in chunks, reducing the impact of Tor circuit interruption during upload, (4) use a VPS with fast disk I/O (NVMe preferred): Tor adds network latency, but disk I/O speed affects how quickly Nextcloud reads and writes files before transmission, (5) for large files (video, large archives): expect slow uploads and downloads via Tor (1-10 Mbit/s). For a personal archive of large files, bandwidth may be the limiting factor more than latency.